White Hat Spoofs 2FA, Sends User to Phishing Page

Social engineering tactics are the bread and butter of hackers. Preying on trust, malicious actors are able to lure users into sharing personal information, even login credentials.

White hat hackers will often leverage these same tactics for good, which Kevin Mitnick, chief hacking officer, KnowBe4 demonstrated in a public video where he used a new exploit to hack LinkedIn's two-factor authentication (2FA).

When 2FA is enabled and a user attempts to log in to a website, they first have to enter a code. As an additional layer of security intended to verify the authenticity of the user, that code is sent via email or SMS.

Using a tool called Evilginx, developed by white hat hacker Kuba Gretzky, Mitnick bypassed 2FA by sending a user to a fake login page.

TechCrunch reported, "By convincing a victim to visit a typo-squatting domain liked 'LunkedIn.com' and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can login indefinitely."

Despite being an additional layer of security, 2FA is vulnerable to attackers like any other technology. "This attack demonstrates that even multifactor authentication has inherent weaknesses. A more reliable 2FA approach includes push notifications via the authentication app itself, as well as ‘what-you-have’ hardware devices like a Yubikey," said Zack Allen, manager of threat operations, ZeroFOX.

"2FA is an excellent first step in ensuring that accounts are not hijacked," said Allen, "but as demonstrated in this example, attacks like phishing, social engineering, and spoofing still have serious consequences. People and businesses alike are looking to more comprehensive education- and technology-based solutions for staying safe online."

Even with controls like 2FA in place, businesses and individuals need to be wary of the security implications of networks, which is why security awareness education is critical. Users need to keep abreast of possible risks.

Because the issues demonstrated have been well known for at least a decade, many, including NIST, have recommended that organizations not trust SMS based 2FA, said Steve Manzuik, director of security research, Duo Security.

"Even in the scenario where a one-time passcode (OTP) is issued, it can be phished by even low-skilled attackers. This demonstrates why SMS/OTP–type 2FA is weaker than using approaches designed specifically for authentication, as they do not require the user to enter a one-time passcode," said Manzuik.